Atomic Secure Linux
 Post subject: Internal DNS Block List - take two
Unread postPosted: Thu Sep 03, 2009 11:21 am 
I really didn't like my first effort at creating a DNS block list that worked with Plesk, so I went back to the drawing board. This one uses perl to watch the maillog in real-ish time for IPs sending rejected and good email, storing the info in a MySQL database. It will also give a bit of slack for senders that send mail that makes it through without getting tagged by spamassassin. This is really meant to replace all the other dnsbl lists in qmail, and use spamassassin to query them (and score them into oblivion) to build up your own. Doing it this way will have the added benefit of knowing who is being blocked, since qmail doesn't log rejected connections. After a configured time, entries in the DNS list are removed, and all entries also gradually drift back to a "neutral" stance.

By default you get 5 rejects before blocking, up to 15 rejects for hosts that send good email (5 + 1 for each clear message up to 10), entries live in DNS for 5 days, and any host that hasn't been seen in 180 days is removed from the database. All of which are configurable. You can use the spamassassin cf example from my first attempt to see how something like this works in your environment. After less than 24 hours of testing on my host, it was the number 3 hit rule - beat out only by AWL and RELAY_COUNTRY_US. See the sa-stats.txt file in the attached archive for detail - my list is RCVD_IN_ASBL.

Thoughts and critiques are welcome.


Attachments:
dnsbl.tar.gz [3.99 KiB]
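Added illustration (my own Python sketch, not the Perl script in the attached archive): the listing rules described above, reduced to an in-memory model fed from a constructed event log. The one-line log format, the drift step of one per maintenance run and the decay of the slack counter are assumptions; qmail's real maillog lines are not parsed here.

```python
from datetime import datetime, timedelta

REJECTS_TO_LIST, MAX_SLACK = 5, 10   # 5 rejects lists a host; +1 per clean message, capped at 15
LIST_TTL = timedelta(days=5)         # how long a host stays in the block list
FORGET_AFTER = timedelta(days=180)   # hosts unseen this long are dropped from the database
DRIFT_STEP = 1                       # assumption: counters decay by 1 per maintain() run


class Reputation:
    def __init__(self):
        self.hosts = {}  # ip -> {"rejects", "clean", "seen", "listed_until"}

    def observe(self, ip, verdict, when):
        h = self.hosts.setdefault(ip, {"rejects": 0, "clean": 0,
                                       "seen": when, "listed_until": None})
        h["seen"] = when
        if verdict == "reject":
            h["rejects"] += 1
        elif verdict == "clean":             # mail that spamassassin did not tag
            h["clean"] = min(h["clean"] + 1, MAX_SLACK)
        if h["listed_until"] is None and h["rejects"] >= REJECTS_TO_LIST + h["clean"]:
            h["listed_until"] = when + LIST_TTL

    def maintain(self, now):
        """Expire listings, drift counters toward neutral, forget stale hosts."""
        self.hosts = {ip: h for ip, h in self.hosts.items() if now - h["seen"] <= FORGET_AFTER}
        for h in self.hosts.values():
            if h["listed_until"] is not None and now >= h["listed_until"]:
                h["listed_until"] = None     # TTL passed: entry leaves DNS
            if h["listed_until"] is None:    # only unlisted hosts drift
                h["rejects"] = max(0, h["rejects"] - DRIFT_STEP)
                h["clean"] = max(0, h["clean"] - DRIFT_STEP)

    def listed(self, now):
        return sorted(ip for ip, h in self.hosts.items()
                      if h["listed_until"] is not None and now < h["listed_until"])


def demo():
    """Constructed lines '<ISO time> <reject|clean> <ip>' (not qmail's real maillog format)."""
    lines = [f"2009-09-03T11:{m:02d}:00 reject 203.0.113.7" for m in range(5)]
    lines += [f"2009-09-03T12:{m:02d}:00 clean 198.51.100.9" for m in range(3)]
    lines += [f"2009-09-03T13:{m:02d}:00 reject 198.51.100.9" for m in range(7)]
    rep = Reputation()
    for line in lines:
        ts, verdict, ip = line.split()
        rep.observe(ip, verdict, datetime.fromisoformat(ts))
    before = rep.listed(datetime(2009, 9, 3, 14, 0))       # .7 listed; .9 stays at 7 < 5+3
    rep.maintain(datetime(2009, 9, 9))                     # .7's 5-day TTL has expired
    return before, rep.listed(datetime(2009, 9, 9)), rep.hosts["203.0.113.7"]["rejects"]
```

The second host shows the slack rule: three clean messages raise its threshold to 8, so seven rejects leave it unlisted, while the first host is listed on its fifth reject and drops out of the list (and starts drifting back) once the TTL passes.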
 Post subject: Re: Internal DNS Block List - take two
Unread postPosted: Fri Sep 04, 2009 12:12 pm 
Looks like it is back to the drawing board . . . again. For whatever reason the correct entry is in DNS, but the DNS blackhole service isn't stopping it. A tcpdump of DNS traffic on loopback shows a response of NXDOMAIN, rather than the expected hit (for some IPs). That makes no sense, as the IP is in there. Reloading DNS and xinetd make no difference.

Oh well. I modified the script to just blacklist/unblacklist the IP with ASL for now.

_________________
-Andy


 Post subject: Re: Internal DNS Block List - take two
Unread postPosted: Fri Sep 04, 2009 1:17 pm 
Keep at it. This looks interesting :-)

Don't give up.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Internal DNS Block List - take two
Unread postPosted: Thu Oct 15, 2009 6:36 pm 
Well, I opened a ticket with Parallels to deal with the inability to remove TXT records from the command line. It has been put on the wish list for a future release, so I'm not holding my breath. Still, the non-optimal outright blocking of the worst of the worst has worked extremely well. For the first time since I've been fighting spam (years!), my spam caught by spamassassin is BELOW my ham count. I was getting about 3-5 spam to each ham previously. Of course my sample size is fairly small - only a few hundred legit messages per day. It also reduced the CPU time to less than an hour per day. Sure it isn't exactly RFC to just drop connection attempts for port 25 on a mailserver, but like the pirate code - they're just guidelines anyway. ;)

I still have to figure out why the DNSBL approach fails so hard, since the goal is to centralize it for multiple boxes to query. Even with the TXT message thing, a wildcard DNS entry could give some basic info on how to de-list. I can't for the life of me figure out why it wouldn't query a local source. Oh well, I'll get back to it soon hopefully.

If anyone is using the perl script, please be aware there is a typo in it that will prevent de-listing from the ASL blacklist. PM me if you'd like the fix.

_________________
-Andy


 Post subject: Re: Internal DNS Block List - take two
Unread postPosted: Fri Oct 16, 2009 11:43 am 
Why not try it with rbldnsd instead of using Bind for the DNS side of things? I've been using it with great success and adding/removing an IP/TXT record is as simple as editing a file. It works perfectly in parallel with Bind (either on a dedicated public IP, or on a 127.0.0.x loopback IP or a private IP, with a forward statement in named.conf).

Faris.



 Post subject: Re: Internal DNS Block List - take two
Unread postPosted: Fri Oct 16, 2009 12:34 pm 
I was trying for something that would work with a vanilla plesk install without changing the base system - drop in the script and sit back. I'm probably just making things harder for myself that way though. :)

_________________
-Andy

